
Viruses in the wallet (false) #12320

Closed
ghost opened this issue Jan 31, 2018 · 11 comments

Comments


@ghost ghost commented Jan 31, 2018

Sometimes I get scared of wallets that are collected.
Are you checking the packages that you are requesting for installation?
https://www.virustotal.com/ru/file/905a5999fb52b083d7e3bedb2dc6704ca641823f81865db58a55a6a20b454d8c/analysis/

@ghost ghost changed the title Virus in the wallet Viruses in the wallet Jan 31, 2018
@ghost ghost changed the title Viruses in the wallet Viruses in the wallet (false) Jan 31, 2018

@fanquake fanquake commented Feb 1, 2018

Where did you get Bitcoin_x64_Rus_Setup.exe? That file did not come from this repository.


@laanwj laanwj commented Feb 1, 2018

That is certainly not a file from our distribution. Make sure you only download from https://bitcoin.org or http://bitcoincore.org, and verify the signatures on the download (SHA256SUMS.asc) before using a download.
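Checking a download the way the comment above describes, as an added example that is not part of this thread or of the project's own tooling: it parses a SHA256SUMS file (plain or PGP-clearsigned like SHA256SUMS.asc), compares the downloaded file's digest, and rejects a file whose name is not listed at all. The file names and contents in demo() are constructed, and the example assumes the gpg --verify step on the real SHA256SUMS.asc was already done against an independently obtained release key.

```python
import hashlib
import hmac
import os
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def parse_sha256sums(text):
    """Return {filename: hexdigest} from a SHA256SUMS file, plain or PGP clearsigned."""
    lines = text.splitlines()
    if lines and lines[0].strip() == BEGIN_SIGNED:
        # Clearsigned: skip the armor header ("Hash: SHA256", ...) up to the first blank line.
        blank = next((i for i, l in enumerate(lines) if not l.strip()), len(lines))
        lines = lines[blank + 1:]
    sums = {}
    for line in lines:
        if line.startswith(BEGIN_SIG):
            break  # the detached signature block follows; nothing there is a checksum
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*")] = parts[0].lower()  # leading "*" = binary-mode marker
    return sums

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_download(path, sums):
    """True only if the file's basename is listed and its digest matches; an unlisted name
    (e.g. a renamed installer that never came from the project) fails, not just a bad hash."""
    expected = sums.get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(sha256_of(path), expected)

def demo():
    """Constructed sample: a listed good file, a listed tampered file, an unlisted file."""
    names = ["bitcoin-0.15.1-win64-setup.exe", "bitcoin-0.15.1-win64.zip", "Bitcoin_x64_Rus_Setup.exe"]
    contents = [b"constructed good", b"constructed tampered", b"not from the project"]
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in names]
        for p, data in zip(paths, contents):
            with open(p, "wb") as f:
                f.write(data)
        asc = "\n".join([BEGIN_SIGNED, "Hash: SHA256", "",
                         sha256_of(paths[0]) + "  " + names[0],
                         hashlib.sha256(b"what the release contained").hexdigest() + "  " + names[1],
                         BEGIN_SIG, "(signature bytes omitted in this constructed sample)",
                         "-----END PGP SIGNATURE-----"])
        return {n: verify_download(p, parse_sha256sums(asc)) for n, p in zip(names, paths)}
```

The sums file only means something once its signature has been verified; without that step an attacker who swapped the binary could just as easily have swapped the checksum list.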

@laanwj laanwj closed this Feb 1, 2018

@ghost ghost commented Feb 1, 2018

@fanquake @laanwj
I uploaded it here, please check
https://bitcoin.org/bin/bitcoin-core-0.15.1/

SHA256: 905a5999fb52b083d7e3bedb2dc6704ca641823f81865db58a55a6a20b454d8c

I checked again
https://www.virustotal.com/ru/file/905a5999fb52b083d7e3bedb2dc6704ca641823f81865db58a55a6a20b454d8c/analysis/1517484517/

@laanwj laanwj reopened this Feb 1, 2018

@laanwj laanwj commented Feb 1, 2018

That's interesting. So it seems that bitcoin executables are marked as "riskware" by some AV tools (but not-a-virus)? Maybe due to botnet usage, which makes it suspicious to find it on a PC where it wasn't explicitly installed by the user.


@MarcoFalke MarcoFalke commented Feb 1, 2018

Virustotal results are known to be "broken" bitcoin-dot-org/bitcoin.org#1472


@Willtech Willtech commented Feb 4, 2018

It may be worth validating release versions on Virustotal for false positives before release and having any issues resolved.

I have uploaded each of the freshly provided files from https://bitcoin.org/en/download and provided a comment and a thumbs-up. While this is helpful it does not actually resolve the FP.


Some buffoon has already gone through previously and downvoted each one.

Note that the URLs seem to be flagged CLEAN e.g.:
https://www.virustotal.com/#/url/55cbacac023a4a89e4c66f6645013184fe83e5613434f58639818195c720bd5a/detection

@laanwj Riskware, not-a-virus, miner and PUP detections are mostly geared toward corporate networks but confuse standard users no end.

@MarcoFalke I do not think it is particularly helpful to flag VirusTotal results as broken; it is simply a common presentation of the results of many different AV. It is quite common for not-a-virus detections and so on to be added for packages that a corporate network would likely want to be alerted to if they were present on their network. Trojan flags, on the other hand, are a definite FP by individual AV vendors. It would be more correct to say that some AV vendors are not careful or specific enough in narrowing down their detections. They can easily add it to their database as an FP to prevent further detections once they are communicated with. Also, some vendors do not wholly develop their own detection signatures, just copying when they can the detection signatures of others (to grow their database without needing to see or investigate samples).

You can see in the behaviour tab some of the trojan-matching behaviours. While it may be possible to remove or change this behaviour if it is not necessary for it to be precisely as it is, such a change should not be necessary, as the release version can be cleared with AV vendors if necessary before release to prevent FPs.


@Willtech Willtech commented Feb 4, 2018

It would be better to handle this as a part of the release schedule.

@MarcoFalke I would be prepared to do a pre-upload of each release and the URLs to VT for the team once it is compiled and testing is completed and report the results, and leave a comment along the following lines:

This is the official release vX.X.X of Bitcoin Core for {platform} {architecture} from https://bitcoin.org/en/download where you can check release signatures and review source code.

I would just need to be notified of the final download URLs once the files are pre-staged.

This should help as many AV researchers (and many of those working for the various AV vendor labs) use VT. At least some AV vendors use notification of detections by other engines, so the details are useful.


@TheBlueMatt TheBlueMatt commented Feb 4, 2018

@Willtech Willtech commented Feb 4, 2018

@TheBlueMatt True, the open-source philosophy. Note that the Windows v0.15.1 release seems to be also triggering on generic suspicious behaviour identified: https://www.virustotal.com/#/file/905a5999fb52b083d7e3bedb2dc6704ca641823f81865db58a55a6a20b454d8c/behavior

And, having FPs cleared up by the AV vendors before the release is public is still useful.

@bitcoin bitcoin deleted a comment from Willtech Feb 4, 2018
@bitcoin bitcoin deleted a comment Feb 4, 2018

@MarcoFalke MarcoFalke commented Feb 4, 2018

Apparently, one can submit FPs to http://sd.baidu.com/en/submit-file.php


@laanwj laanwj commented Mar 5, 2018

Closing this, this is not an actionable issue with regard to the source repository, and it seems the OP deleted their account.
